The Indian government is seeking to ensure that it will have access to
the content of communications sent over Gmail and the Skype and
BlackBerry networks in a readable format. The government wants the
power to access communications as a means to combat terrorism. Skype
and BlackBerry parent company RIM have been given two weeks to comply,
or they could find themselves banned in India.

Quick impressions:

While I’ve expressed concerns before over the decryption of Skype calls in China and Germany by the government, it has mainly been an issue of “is Skype business ready”. While I’ve been okay with the use of Skype for personal communications, that is it.

Blackberry communications is another story. A large percentage of the 41 million Blackberry users around the world are “corporate” users. Which should mean that most of the data between those devices is work data (though we know quite a bit isn’t). RIM supposedly has a symmetric key system while would mean that only the customer creates their own encryption key. It would be very bad for RIM for this not to be the case and would cause a lot of issues with their customer base (many of which have chosen them for their secure messaging).

Gmail… again, this shouldn’t be your corporate mail system. If Google willingly allows this, you can choose to opt out and choose another provider. So while I’m not keen on the idea, at least you have the option.

In presentations I give on security, I have become accustomed to a pattern of presenting the information. Step one, pose questions or situations that allow your audience to immediately identify with you or the subject. Step two, provide case studies or scenarios that provide examples to support the subject. Step three, give the audience some actionable items.

This article is all about supporting step three. If I’ve done a good job of getting a person to identify with the subject and provided a reasonable explanation of the information, the reader/listener usually focuses in on the action items.

But I digress… Most all the offline questions I have received from my last article have had a common theme:

I did this, did I get a virus?

My insert_model_phone_name_here is acting funny what do I do?

I installed this app, is it legit?

Trying to address issues at that level and point is the “whack-a-mole” approach you want to avoid. You want to put preventative measures in place so that these concerns should be minimized.

You will find a number of lists like this on the Internet, but this is my take on steps to take to safeguard your information on your mobile device:

Loss is your biggest risk, don’t lose your phone. Your cell phone can have the equivalent information as your birth certificate, bank statements, and diary all in one location. Maintaining physical control of the device is the best thing you can do to avoid losing your information.

Make sure you use a password (or PIN if that’s what your phone supports) to lock out the device. This is the single biggest thing that users complain about the inconvenience of. If anyone were to pick up your device, do not leave it wide open for anyone to read. Protect it.

If your device offers encryption of the device and any removable media, use it. If you lose a device, the average person who picks it up will not likely have the ability to pull memory chips and decrypt your information. Make it difficult for someone to get the data.

Just because you can download hundreds of applications, does not mean you should. Be aware that many free applications are made to get personal information from you (again see my other post on this). Others may actually be malicious.

When downloading applications, be especially careful of banking applications. Only download them from trusted sources. If you can download directly from the bank, that is your best option. If you download from an app store, read the reviews and make sure you are one of the first 10 people to download something.

Only use Bluetooth if you absolutely require it. If you use Bluetooth, enable a PIN for pairing devices and do not leave your device discoverable.

If your device supports WiFi, only connect to secure and trusted networks. A network called “FreeWiFi” usually is not the best option.

Limit the amount of data you store on your phone. If you are working on things like tax documents or have personal information on the device, only leave it on the phone while you need it. Limiting the amount of data on the device limits your risk if the device is lost or stolen.

From a financial liability standpoint, inquire about cell phone insurance from your provider. In a day where cell phones can initially cost $300 and cost $500 to $600 to replace, it may be worth the couple of dollars a month insurance to be able to replace it.

If your provider offers the ability to remotely manage or wipe a mobile device, know how this works and be prepared to use it in case your device is lost. If you remove all the data, you can limit your loss to just the device itself.

Inquire with your provider and check with device manufacturer for device patches and upgrades. Much like your PC, smartphone software is updated on an ongoing basis to fix functionality and increase security.

If your device supports third party security applications (usually Windows Mobile, Symbian, or Palm devices) look to manufacturers like Symantec and McAfee for firewall, anti-virus and SPAM prevention software.

Some of these are configurations you can do on your phone while the others are things you need to know to modify your behavior while using your phone. If you follow these steps, chances are you should be okay. In the rare case you loose your phone (ahem… next generation iPhone in a bar) and it happens to get picked up by an extremely technical user who can tear it down (Gizmodo) know that all bets may be off. But for the average person, you’re going to be okay.